Commitment to transparency increases local government cyber-exposures

Risk Matters - Autumn 2023

Sophisticated criminals are targeting local governments across Australia with social engineering campaigns born from publicly available information.

As public authorities, West Australian local governments have to balance the tension between public expectations of transparency and security.

Legislative and regulatory commitments, as well as public expectations, see LGIS members publicly publishing information such as creditor details (names, addresses and email addresses), expressions of interest (EOIs) and their respondents, and contract appointments.

It’s important that local governments – officers and councillors – recognise that commitment to transparency also increases vulnerabilities to social engineering attacks.

Definitions

Social engineering: Social engineering, or ‘human hacking’, uses psychological manipulation to trick people into divulging confidential information or into granting unauthorised access to systems.

Phishing: A form of social engineering in which fraudulent emails or other messages, purporting to come from a reputable source, induce individuals to reveal personal information such as passwords and credit card numbers, or to change financial details such as a creditor’s bank account.

Case study: LGIS member attacked in 2022

A WA regional local government recently fell victim to a social engineering fraud scheme that led to a financial loss of over $1 million. An employee received a phishing email that appeared to come from one of their service providers. Opening the document attached to that email gave the hackers access to the organisation’s supplier list. The hackers then deceived staff into changing the payment details for a supplier in the financial system to an illegitimate bank account.

In one of the emails the scammers, impersonating a member of the finance team, said that they had already verified the new account details of the supplier and requested this change.

There was a series of email exchanges between the two employees about changing the supplier’s account details, none of which were ever seen by the legitimate owner of the hacked email address.

The attackers had created several rules in the mailbox settings so that all emails received from the other employee were marked as read and moved to the RSS Subscriptions folder. The compromise was noticed during a routine check of risky sign-in logs by the local government’s authorised cyber-security supplier, which spotted unauthorised logins from another country.
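The inbox rules and the foreign sign-ins in this case study are exactly the kind of events a mailbox audit log records, and they can be checked together rather than waiting for a manual review. The script below is an added example, not code from the LGIS article or from the member involved. The log records are constructed, and the field names (`op`, `params`, `MoveToFolder`, `MarkAsRead`, `DeleteMessage`) are assumptions loosely modelled on Microsoft 365 audit exports, not an exact product schema. It flags rules that hide a colleague’s mail and escalates when the same mailbox had a sign-in from outside the home country shortly beforehand.

```python
"""Detect the mailbox-compromise indicators from the case study.

Added example, not part of the LGIS article. Log records are constructed;
field names are assumptions, not a real product schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: one benign sign-in, one foreign sign-in, the attacker's
# hiding rule, and a benign housekeeping rule created by another user.
SAMPLE_LOG = [
    {"time": "2022-03-01T22:14:05Z", "user": "finance.officer@example.wa.gov.au",
     "op": "UserLoggedIn", "country": "AU", "ip": "203.0.113.10"},
    {"time": "2022-03-02T02:31:40Z", "user": "finance.officer@example.wa.gov.au",
     "op": "UserLoggedIn", "country": "NG", "ip": "198.51.100.77"},
    {"time": "2022-03-02T02:35:12Z", "user": "finance.officer@example.wa.gov.au",
     "op": "New-InboxRule",
     "params": {"Name": "rss", "From": "accounts.payable@example.wa.gov.au",
                "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"time": "2022-03-02T09:00:00Z", "user": "accounts.payable@example.wa.gov.au",
     "op": "New-InboxRule",
     "params": {"Name": "newsletters", "SubjectContainsWords": "Newsletter",
                "MoveToFolder": "Newsletters", "MarkAsRead": False}},
]

HOME_COUNTRIES = {"AU"}
# Folders a mailbox owner rarely opens: moving mail here makes it vanish.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email",
                  "deleted items", "archive", "conversation history"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def foreign_sign_in(event, home=HOME_COUNTRIES):
    return event["op"] == "UserLoggedIn" and event.get("country") not in home


def rule_hides_mail(event):
    """Return the reasons an inbox rule looks like the attacker's, or [] if benign."""
    if event["op"] not in RULE_OPS:
        return []
    p = event.get("params", {})
    folder = str(p.get("MoveToFolder", "")).lower()
    hides = folder in HIDING_FOLDERS or bool(p.get("DeleteMessage"))
    if not hides:
        return []
    reasons = [f"moves matching mail to '{p.get('MoveToFolder', 'deleted')}'"]
    if p.get("MarkAsRead"):
        reasons.append("marks it as read so no unread count appears")
    if p.get("From"):
        reasons.append(f"singles out mail from {p['From']}")
    return reasons


def correlate(events, window_hours=24):
    """Alert on hiding rules; escalate to high when the same mailbox had a
    foreign sign-in within window_hours before the rule was created."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    last_foreign = {}  # user -> time of most recent foreign sign-in
    alerts = []
    for ev in events:
        t = parse_time(ev["time"])
        if foreign_sign_in(ev):
            last_foreign[ev["user"]] = t
            alerts.append({"severity": "medium", "user": ev["user"], "time": ev["time"],
                           "reason": f"sign-in from {ev['country']} ({ev['ip']})"})
            continue
        reasons = rule_hides_mail(ev)
        if reasons:
            prior = last_foreign.get(ev["user"])
            recent = prior is not None and t - prior <= timedelta(hours=window_hours)
            alerts.append({"severity": "high" if recent else "medium",
                           "user": ev["user"], "time": ev["time"],
                           "reason": "inbox rule " + "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the constructed sample, the benign Australian sign-in and the newsletter rule produce nothing, the Nigerian sign-in is a medium alert on its own, and the rule that moves and marks-as-read a named colleague’s mail is raised to high because it follows that sign-in within the window. In a real deployment the events would come from the tenant’s audit log export rather than an inline list.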

The request to change account details was not verified outside of the email conversation.

The local government relied on email conversations because the employees were not in the office together, and worked remotely.

It is important to note here that the bank did contact the local government before processing the payment to the new bank account; however, staff permitted the transaction because, in their view, the new bank details were genuine. The payment was then made into the scammers’ account.

The local government discovered that they had been compromised when the legitimate supplier contacted them following up payment of invoices. The local government then discovered that payment for two legitimate invoices had been made to the wrong account.

Common scams associated with BEC:

  • Invoice fraud – hackers usually compromise a supplier’s email account and gain access to legitimate invoices. They edit the contact and bank details on those invoices and send them to local government members for payment.
  • Employee impersonation – employee emails are compromised and used by hackers to generate false invoices or request change of bank information.
  • Company impersonation – criminals sometimes register a similar domain name to the organisations a vendor is dealing with. Impersonating a local government, they request quotes for expensive items like laptops.

Tips to prevent social engineering risks

  • Establish a system that ensures changes to contact and bank information are only made after human verification outside the channel the request arrived in, for example a call back to a phone number already on file.
  • Use spam and message scanning services to filter suspicious content.
  • Educate employees on the risks of opening attachments and links from unknown sources.
  • Implement a multi-factor authentication system.
  • Always update anti-malware software on a regular basis.
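The first tip is the control that would have stopped the case study: no change to a supplier’s bank details until a second person has confirmed it by a call back to a number already on file, regardless of what the requesting email claims. The following Python is an added example of that control, not code from the LGIS article or from any member’s finance system. The supplier, the BSB and account numbers, the phone number and the staff names are constructed; the rules it enforces are the article’s advice made concrete.

```python
"""Enforce out-of-band verification before a supplier's bank details change.

Added example, not part of the LGIS article and not any member's system.
All supplier, account, phone and staff values are constructed.
"""
from dataclasses import dataclass
from typing import Optional


class VerificationError(Exception):
    """Raised when a change is attempted without a valid out-of-band check."""


@dataclass
class Supplier:
    name: str
    bsb: str
    account: str
    verified_phone: str  # captured at onboarding, never taken from an email


@dataclass
class ChangeRequest:
    supplier: str
    new_bsb: str
    new_account: str
    requested_by: str              # staff member who received the request
    claims_already_verified: bool  # what the email says; carries no weight
    verified_by: Optional[str] = None
    verified_via: Optional[str] = None


class SupplierMasterfile:
    def __init__(self, suppliers):
        self.suppliers = {s.name: s for s in suppliers}
        self.audit = []

    def verify(self, req, verifier, number_called):
        """Record a call-back. Rejects self-verification and any number not on file."""
        supplier = self.suppliers[req.supplier]
        if verifier == req.requested_by:
            raise VerificationError("verifier must differ from the requester")
        if number_called != supplier.verified_phone:
            raise VerificationError(
                "call back the number on file, not a number supplied in the request")
        req.verified_by = verifier
        req.verified_via = f"call-back to {number_called}"

    def apply(self, req):
        """Change the bank details only after verify() succeeded for this request."""
        if req.verified_by is None:
            # An email asserting "already verified" is exactly the scammer's move.
            raise VerificationError("bank details not verified out of band")
        s = self.suppliers[req.supplier]
        self.audit.append({"supplier": s.name, "old": (s.bsb, s.account),
                           "new": (req.new_bsb, req.new_account),
                           "requested_by": req.requested_by,
                           "verified_by": req.verified_by, "via": req.verified_via})
        s.bsb, s.account = req.new_bsb, req.new_account
        return s


def run_case_study():
    """Replay the case study against the control; return which steps were blocked."""
    mf = SupplierMasterfile([Supplier("Regional Roadworks Pty Ltd", "016-001",
                                      "12345678", "08 9000 0001")])
    req = ChangeRequest("Regional Roadworks Pty Ltd", "999-999", "87654321",
                        requested_by="accounts.payable", claims_already_verified=True)
    outcome = {}
    # 1. The email claims it is already verified; the system ignores that claim.
    try:
        mf.apply(req)
        outcome["unverified_apply"] = "allowed"
    except VerificationError:
        outcome["unverified_apply"] = "blocked"
    # 2. Calling a number given in the fraudulent email is not verification.
    try:
        mf.verify(req, verifier="finance.officer", number_called="0400 000 000")
        outcome["callback_to_request_number"] = "allowed"
    except VerificationError:
        outcome["callback_to_request_number"] = "blocked"
    # 3. The requester cannot verify their own request.
    try:
        mf.verify(req, verifier="accounts.payable", number_called="08 9000 0001")
        outcome["self_verification"] = "allowed"
    except VerificationError:
        outcome["self_verification"] = "blocked"
    # 4. A second person calls the number on file; only now may the change apply.
    mf.verify(req, verifier="finance.officer", number_called="08 9000 0001")
    s = mf.apply(req)
    outcome["verified_apply"] = "allowed" if s.account == "87654321" else "blocked"
    outcome["audit_entries"] = len(mf.audit)
    return outcome


if __name__ == "__main__":
    print(run_case_study())
```

The point of the design is that the request and the verification are separate acts by separate people, and that the only phone number the verifier may use is the one the organisation already held before the request arrived. Remote working, as in the case study, does not weaken this: the call-back happens by phone whatever desk each employee sits at.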

For support on improving your local government’s cyber-security practices, contact the LGIS risk team.
